🔍 Overview
| Summary | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. |
|---|---|
| Advisory Release Date | |
| Products | eptos / eptos Search Engine |
| Affected Releases | eptos 6.* |
| Fixed Releases | N/A |
| CVE ID | |
| Issue ID | BASE-2285 |
| Further information | |
Summary
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
· react-server-dom-webpack
· react-server-dom-parcel
· react-server-dom-turbopack
Additionally, some frameworks or bundlers that depend on React Server Components are also vulnerable:
· Next.js (14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7)
· Vite RSC Plugin
· Parcel RSC Plugin
· React Router RSC
· RedwoodSDK
· Waku
Software Fixes
What you need to do
No action required
Mitigation
Support
If you have questions or concerns regarding this advisory, contact support (at) paradine.at and include BASE-2285 in your issue description.